
[Image: This image is probably the only thing in the post you can skim diagonally]

The General Data Protection Regulation of the European Union: Our battle plan.

This blog post is about the General Data Protection Regulation (GDPR) of the European Union (EU).
While I cover the basics of GDPR, the main focus is on how it impacts freesewing.org, and what we plan to do in the 100 days that remain
before GDPR goes into force.

Thoughts on the EU’s GDPR

I have a love/hate relationship with the European Union.
I love what they do and what they stand for, I hate how they do it.

[Image: I totally get this dude]

The GDPR is no different.
It’s an important piece of legislation that raises the bar for online privacy, which is great.
But as I was reading up on the subject, I felt the urge to rage-quit because OMG bureaucrats.

Allow me to explain.

Privacy needs protection

For better or for worse (I believe for worse) the internet has settled into a modus operandi
where you pay for free stuff with your personal data.
Some people call it people farming, and I think that’s a great term.

The frightful five
are vacuuming up ever more of our personal lives.
Short of never going online, there seems to be precious little we can do about it.

Why the EU is the best

This problem is too big to tackle by any of us.
Who could possibly stand up to the combined power of the tech giants?

Well, how’s this for a CV:

Fined Facebook 110 million euro for misleading statements about their WhatsApp purchase

Ordered Amazon to pay 250 million euro extra taxes in Luxembourg

Fined Google 2.4 billion euro for abusing its dominant position in search

Ordered Apple to pay 13 billion euro extra taxes in Ireland

[Image: We're the EU, bitch]

When it comes to tech giants, the European Union is all stick, no carrot.

The General Data Protection Regulation enforces privacy policies that respect users’ rights.
It applies to all EU citizens, all the time, everywhere.

It doesn’t matter if you’re a Silicon Valley juggernaut; respect the rights of EU citizens or face the wrath of the eurocracy:

Organizations in breach of GDPR can be fined up to 4% of annual global turnover or 20 million euro (whichever is greater)

Four percent of global turnover is a very big stick.

Why the EU is the worst

[Image: What I imagine an Article 29 Working Party looks like]

The EU being the EU, the regulation is a mixed bag of lofty goals and ideals, watered down by lobbying groups, and further complicated by the compromise required to get 28 member states on board.

The intentions are great, it’s a great idea, but they are doing a terrible job at selling it — as usual.

The practical implementation is in the hands of the so-called Article 29 Working Party,
which is currently keeping busy designing icons (I am not making this up).
It will change its name to the European Data Protection Board come May 25th, because you wouldn’t want to get too comfortable with all this jargon now, would you?

The GDPR in practice

If you’re looking for expert advice on GDPR compliance, this is not the place for you.

But if you are curious about the GDPR and what it takes for a website like freesewing.org
to be compliant, read on.

Further reading

If you really want to know what GDPR is, the best thing you can do is
read the damn thing. It ain’t no rocket science.

Why do we need it?

How long do we keep it?

Do we share it?

Consent timing

The GDPR states that you should ask for consent when the data is collected.

With our three types of data processing, that means that consent must be asked at different times:

Profile data: When signing up on the site

Model data: When creating the first model

Patron data: When becoming a patron

This will (also) require some extra work to integrate into the site.

Respecting basic rights when processing data

The EU enshrines basic rights for its citizens that should be respected when processing data.

Let’s look at each of these rights and their impact on freesewing.org.

The right to be informed

You need to be transparent about how you use personal data. Why you collect it, how you use it, and so on.

Informing users is something we are still working on. If anything, this blog post is part of that effort.

We will need to design the individual privacy notices, but also a more overall privacy policy as well as
making certain that users are informed of all their rights.

While this will require some work, I don’t expect any problems here.

The right of access

People have the right to know their data is processed, and to access that data.

We are already compliant, as all data users enter on the site can also be accessed by them.

The right to rectification

People have the right to correct their data if it is inaccurate.

We are already compliant, as all data users enter on the site can also be edited by them.

The right to erasure

People have the right to have their data removed/erased.

We are already compliant, as users can remove their models, or entire account at any time.

The right to restrict processing

This right means that users must be able to put a freeze on all data processing, without going as far as to delete their data.

We do not currently offer this possibility, and will need to add this functionality to the site.

The right to data portability

People not only have a right to export all their data, that export should also be in a format that makes it easy for them to take their data elsewhere.

We are already compliant, as we allow users to export all of their data, and make it available in different standard formats (YAML and JSON).

The right to object

The right to object applies specifically to:

processing for public interests or by official authorities

processing for direct marketing

processing for science/historic research/statistics

In these cases, people can object to this specific processing.

This is going to apply to us when we start publishing anonymized model data, something that’s on our roadmap.

The reason for publishing this data is that we want to make a dataset available of real body measurements, rather than the
standard measurements that are typically used in the industry.

This is something we’ll write about more at a later date, but essentially this falls under the scientific research/statistics category.
And even though the data is anonymized, we still need to respect the right of users to object to this processing.

As such, we should add the possibility to object to this specific use of the data.

Rights in relation to automated decision making and profiling

People have extra rights when it comes to profiling or decisions made by AI or algorithms without human involvement.

This is not relevant in our situation.

Privacy by design

The EU isn’t content with throwing up a couple of consent questions and respecting people’s rights when processing data.
It also wants to make certain that your privacy is (better) protected when things go wrong.

That’s why it advocates for privacy by design. While it’s a concept that’s hard to pin down in legislation, the
purpose is clear: They want everyone to consider privacy from the very start of their project/product/business, and
not as an afterthought.

Things such as encryption (both in transit and for data at-rest), pseudonyms, and data expiry are suggested as
things to keep in mind while designing.

Obviously, the EU is not going to come check your code to see whether you’ve taken privacy by design to heart.
But it can (and probably will) have an influence when things go wrong.

Imagine two companies that have a data leak: one of them hasn’t done much to safeguard the privacy of its users,
whereas the other has taken privacy by design measures to mitigate the damage.

It seems obvious that the EU is going to come down harder on the company that didn’t even try.

What we’re already doing

We already do a number of things that are driven by a privacy by design approach. For example:

These already form a very good basis for a privacy conscious website. But since we’ll need to make changes
for GDPR anyway, we’re considering other options to further raise the privacy bar.
Specifically, what can we do to limit the damage to our users in case there is a data leak.

Restriction of data storage

Some of the most sensitive data we store today is the address and birthday of our higher-tier patrons.

However, the site does not need this information to function. We only need it for administrative purposes:
sending out gifts and birthday cards to our patrons.

As such, there’s no real need to keep this data in the freesewing database.
We could just as well write this information down in a notebook we keep on our coffee table.

So, as part of our GDPR-related changes, we will remove this information from the database, and store it
offline.

Encryption of data at rest

We already encrypt all data in transit, but we are currently considering adding encryption of data at rest.

The idea is to encrypt all data that could potentially identify a user.
Such as:

Email address

User name

Model names

Model notes

This would add an extra layer of defense for our users’ privacy in case somehow our database gets dumped.

While this change will be non-trivial to implement and comes with a performance penalty, I feel it’s
worth looking into.

Conclusion

While we still have some work to do, we are already compliant with large parts of the GDPR, especially when
it comes to respecting users’ rights:

The right to be informed

The right of access

The right to rectification

The right to erasure

The right to restrict processing

The right to data portability

The right to object

Rights in relation to automated decision making and profiling

We are currently working on the right to be informed and have a plan
for the changes required to respect the right to restrict processing and the right to object.

On the data collection side, we need to hammer out the details for our privacy notices.
We’ll also write a detailed privacy policy that bundles all the info from the different notices.

We’ll need to add changes to the user on-boarding to make sure notices are presented at the correct time.
Not to mention that we’ll need to keep track of who gave their consent for what.
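As an added example (not freesewing’s own code), here is what "keeping track of who gave their consent for what" can look like when it also has to honour the right to restrict processing and the right to object discussed above. It records consent at the three collection moments from the consent timing section (sign-up, first model, becoming a patron) together with the version of the notice shown, and exposes one gate that every processing path asks first. Treating the planned research dataset as allowed-unless-objected rather than consent-based is an assumption of this demo, following the post’s own reading of the right to object.

```javascript
// Added example (not freesewing's own code): a per-user consent ledger that records
// who consented to what and when, plus the one gate every processing path asks
// first. Sign-up, first model and becoming a patron are consent-based purposes; the
// planned research dataset is modelled as allowed-unless-objected (an assumption).
const CONSENT_BASED = ['profile', 'model', 'patron'];
const OBJECTABLE = ['research'];

function newLedger() {
  return { consents: {}, objections: new Set(), restricted: false, log: [] };
}

function logEvent(ledger, event, purpose, at, extra = {}) {
  ledger.log.push({ event, purpose, at: at.toISOString(), ...extra });
}

// Called at the moment the data is collected. The notice version shown is kept so
// a changed notice can trigger renewed consent instead of silently reusing the old.
function recordConsent(ledger, purpose, noticeVersion, at = new Date()) {
  if (!CONSENT_BASED.includes(purpose)) throw new Error(`not consent-based: ${purpose}`);
  ledger.consents[purpose] = { noticeVersion, at: at.toISOString() };
  logEvent(ledger, 'consent', purpose, at, { noticeVersion });
}

function withdrawConsent(ledger, purpose, at = new Date()) {
  delete ledger.consents[purpose];
  logEvent(ledger, 'withdraw', purpose, at);
}

// Right to object: blocks one specific purpose only, e.g. the research dataset.
function object(ledger, purpose, at = new Date()) {
  ledger.objections.add(purpose);
  logEvent(ledger, 'object', purpose, at);
}

// Right to restrict processing: freezes every purpose without deleting anything.
function setRestricted(ledger, restricted, at = new Date()) {
  ledger.restricted = restricted;
  logEvent(ledger, restricted ? 'restrict' : 'unrestrict', '*', at);
}

// The question each processing path asks; a refusal carries its reason.
function mayProcess(ledger, purpose) {
  if (ledger.restricted) return { ok: false, reason: 'processing restricted' };
  if (ledger.objections.has(purpose)) return { ok: false, reason: 'user objected' };
  if (OBJECTABLE.includes(purpose)) return { ok: true };
  const c = ledger.consents[purpose];
  return c ? { ok: true, since: c.at } : { ok: false, reason: 'no consent on record' };
}
```

The append-only log is what answers a later "when did this user consent, and to which notice?" question, which is the evidence a supervisory authority would ask for.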